Each computer that connects to your corporate network constitutes a security domain boundary. Nearly all firewall vendors offer a line of similar firewalls for environments from the smallest SOHO to the enterprise. But traveling users have special needs that are difficult to address with hardware firewalls. Thus desktop firewalls are coming into their own, as network managers realize that users are vulnerable to attack regardless of where they are connecting from.
VPNs extend the network perimeter to remote users and require the same security as the LAN-WAN edge. A centrally managed desktop firewall is a natural way to protect traveling users.
Some desktop firewalls, like Internet Security Systems' BlackICE, simply provide access control to network ports, similar to a stateful packet-filtering firewall. The problem with this is that any application on the machine can reach the Internet over the open ports. That's good for protecting the desktop from external intruders, but once a Trojan is installed locally, all bets are off: it simply uses the ports the policy already allows. Desktop firewalls that provide access control to network resources on a per-application basis, ZoneAlarm and InfoExpress for example, let policies state which program may use which ports.
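The difference between the two policy models, as an added example (not code from the article or from any of the vendors named): a toy policy evaluator that checks the same outbound connection attempts against a port-only rule set and against a per-application rule set. The per-application policy is keyed on a hash of the executable rather than its file name, because a Trojan that renames itself after the browser would otherwise inherit the browser's permissions. Process names, executable contents and connection attempts are all constructed for the demo.

```python
"""Added example: port-only versus per-application desktop firewall policy.
Everything here (process names, image bytes, ports) is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    process: str    # image name as the OS reports it
    image: bytes    # contents of the executable (constructed stand-ins)
    dst_port: int   # outbound destination port


def image_hash(image: bytes) -> str:
    """Identify a program by the hash of its executable, not its name."""
    return hashlib.sha256(image).hexdigest()


# Port-only policy: any local process may use an open outbound port.
PORT_POLICY = {80, 443}


def port_only_allows(conn: Conn) -> bool:
    return conn.dst_port in PORT_POLICY


# Per-application policy: executable hash -> ports that program may use.
# Unknown executables get an empty set, i.e. default deny.
BROWSER_IMAGE = b"constructed browser executable"
APP_POLICY = {
    image_hash(BROWSER_IMAGE): {80, 443},
}


def per_app_allows(conn: Conn) -> bool:
    allowed = APP_POLICY.get(image_hash(conn.image), set())
    return conn.dst_port in allowed


def evaluate(conns):
    """Return (process, port, port-only verdict, per-app verdict) per attempt."""
    return [(c.process, c.dst_port, port_only_allows(c), per_app_allows(c))
            for c in conns]


TROJAN_IMAGE = b"constructed trojan executable"
SAMPLE = [
    Conn("iexplore.exe", BROWSER_IMAGE, 443),   # legitimate browser
    Conn("trojan.exe", TROJAN_IMAGE, 80),       # beacon out over an open port
    Conn("iexplore.exe", TROJAN_IMAGE, 80),     # Trojan renamed to the browser's name
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print("%-13s port %3d  port-only=%s  per-app=%s" % row)
```

The port-only policy passes all three attempts; the per-application policy passes only the genuine browser, including when the Trojan borrows the browser's file name.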
Of course, users can turn off firewall and virus protection if those applications get in the way, so security policies in products such as Check Point's SecureClient NG can require that security applications be installed, running and correctly configured before the end user is allowed to connect back to the central site.
Likewise, VPN products and services are adding features such as NAT traversal, interoperable remote-client support and higher throughput. Whether a VPN client includes a full firewall or only simple split-tunneling control is vendor-dependent. However, look for more client vendors to offer firewall, VPN and virus scanning as a suite of centrally managed applications. From full-blown desktop security suites, like Network Associates' PGP Corporate Desktop Security, to Cisco Systems' partnering with BlackICE and ZoneAlarm Pro firewall in the Unity Client, the problems with supporting VPN and firewall clients together should lessen.
Access Control for Unmanaged Users
Securing the perimeter is just the beginning. Those with Web sites that serve active, dynamic content to external users should realize that there is often a path from the untrusted network, past your security defenses, into back-end databases. Worse, Web applications, whether you buy or build them, are vulnerable to all kinds of attacks, including URL manipulation; CGI, Perl and PHP vulnerabilities; and data manipulation. These are the application-level attacks against poor application development that allow crackers to bypass access controls and plunder your data.
There's little you can do about many application-level attacks except institute programming-verification procedures to make sure there are no buffer overflows and that data submitted by the user is validated and scrubbed of unexpected input, such as ASCII and Unicode escape sequences. The ordering matters: input must be decoded to its canonical form before it is checked, or an encoded ".." or "/" will pass a check that looks only for the literal characters.
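Input scrubbing as described above, as an added example (not code from the article): a naive check that inspects the raw query-string value is placed beside a hardened check that percent-decodes the value, rejects double-encoded and overlong UTF-8 escapes, and only then applies an allow-list and a length bound. The parameter (a file name) and the sample inputs are constructed for the demo; the fixed length bound stands in for the buffer-size check the text mentions.

```python
"""Added example: canonicalize user input before validating it.
The parameter name, allow-list and inputs are assumptions for the demo."""
import re

MAX_LEN = 64                                  # bound standing in for a fixed buffer
ALLOWED = re.compile(r"[A-Za-z0-9_.-]+")     # allow-list for a file-name parameter
PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def naive_check(value: str) -> bool:
    """Weak form: checks the raw string, so '%2e%2e%2f' slips through."""
    return ".." not in value and "/" not in value and len(value) <= MAX_LEN


def percent_decode(value: str) -> bytes:
    """Decode %XX escapes exactly once; a bare or malformed '%' is an error."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "%":
            if not PCT.match(value, i):
                raise ValueError("malformed percent escape")
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return bytes(out)


def canonicalize(value: str) -> str:
    """Reduce the value to one canonical text form or raise ValueError."""
    raw = percent_decode(value)
    if b"%" in raw:
        # A '%' surviving one decode means the client double-encoded the value.
        raise ValueError("double-encoded input")
    try:
        # Python's strict UTF-8 decoder rejects overlong forms such as C0 AE
        # (an encoded '.') and truncated multibyte sequences.
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("invalid UTF-8: %s" % exc.reason)


def hardened_check(value: str) -> bool:
    """Canonicalize first, then enforce the allow-list and the length bound."""
    try:
        text = canonicalize(value)
    except ValueError:
        return False
    # fullmatch, not match/$: '$' would accept a value with a trailing newline.
    return len(text) <= MAX_LEN and ALLOWED.fullmatch(text) is not None


SAMPLES = [                       # constructed inputs for the demo
    "report.txt",
    "%2e%2e%2fetc%2fpasswd",      # single-encoded ../etc/passwd
    "%252e%252e%252f",            # double-encoded
    "%c0%ae%c0%ae%c0%af",         # overlong UTF-8 for ../
    "report.txt%0a",              # trailing newline
    "A" * 65,                     # over the length bound
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-24s naive=%-5s hardened=%s" % (s[:24], naive_check(s), hardened_check(s)))
```

The naive check accepts every hostile sample except the over-length one; the hardened check accepts only the plain file name. A Web-application firewall in front of the server can apply the same canonicalize-then-validate discipline, but it cannot know the per-field allow-list unless you tell it.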
Two types of products can mitigate some of these issues. The first, application proxy firewalls, may be able to block data passing through the proxy selectively, based on the method used or the data size. However, proxies protect only against protocol-level attacks. Stopping data manipulation is a far more difficult proposition. Products such as Sanctum's AppShield provide an extra layer of protection by dynamically tracking the types of data passed to and from the Web application and selectively scrubbing invalid data.
Granting specific users access to specific resources is one way you can build access control into Web applications, provided you have the developer talent on staff. But for every application developed, the access controls will have to be built anew, and home-grown access-control methods typically are neither flexible nor scalable from a management perspective. Web-based policy management tools, such as Securant Technologies' Clear Trust SecureControl or Oblix's NetPoint, provide development and integration tools to add access control to any Web application from the page level down to form and field definitions. In addition, Web access-control systems provide extensive auditing and logging facilities so authorized and unauthorized access can be monitored.
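What such a central policy service does for an application, as an added example (not code from the article, Securant or Oblix): a single policy store that maps roles to Web resources named hierarchically as page, form and field, resolves a request by walking from the most specific resource to its parents so that the most specific rule wins, denies by default when nothing matches, and records an audit entry for every decision. Users, roles and resource names are constructed.

```python
"""Added example: a central Web access-control policy store with page, form
and field granularity, most-specific-rule-wins resolution and an audit trail.
All users, roles and resources are constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    user: str
    resource: str
    action: str
    allowed: bool
    rule: str          # which rule decided, or "default-deny"


def ancestors(resource: str):
    """Yield the resource and each parent up to '/':
    /hr/payroll.jsp/form/salary -> /hr/payroll.jsp/form -> /hr/payroll.jsp -> /hr -> /"""
    parts = [p for p in resource.split("/") if p]
    while parts:
        yield "/" + "/".join(parts)
        parts.pop()
    yield "/"


class PolicyStore:
    def __init__(self):
        self.rules = {}    # (resource, action) -> set of roles permitted
        self.roles = {}    # user -> set of roles
        self.audit = []    # every decision, allowed or not

    def grant(self, resource, action, *roles):
        self.rules.setdefault((resource, action), set()).update(roles)

    def assign(self, user, *roles):
        self.roles.setdefault(user, set()).update(roles)

    def check(self, user, resource, action) -> bool:
        user_roles = self.roles.get(user, set())
        allowed, rule = False, "default-deny"
        for candidate in ancestors(resource):
            permitted = self.rules.get((candidate, action))
            if permitted is not None:      # most specific rule decides; no fall-through
                allowed = bool(permitted & user_roles)
                rule = "%s:%s" % (candidate, action)
                break
        self.audit.append(Decision(user, resource, action, allowed, rule))
        return allowed


def build_demo_store() -> PolicyStore:
    store = PolicyStore()
    store.grant("/", "read", "employee", "hr")                       # site: staff only
    store.grant("/public", "read", "anonymous", "employee", "hr")    # public pages
    store.grant("/hr/payroll.jsp/form", "write", "employee", "hr")   # form: staff may edit
    store.grant("/hr/payroll.jsp/form/salary", "write", "hr")        # field: HR only
    store.assign("alice", "employee")
    store.assign("bob", "hr")
    store.assign("guest", "anonymous")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    store.check("alice", "/hr/payroll.jsp", "read")
    store.check("alice", "/hr/payroll.jsp/form/address", "write")
    store.check("alice", "/hr/payroll.jsp/form/salary", "write")
    store.check("bob", "/hr/payroll.jsp/form/salary", "write")
    store.check("guest", "/public/jobs.html", "read")
    store.check("guest", "/hr/payroll.jsp", "read")
    for d in store.audit:
        print("%-6s %-5s %-32s %s (%s)" % (d.user, d.action, d.resource,
                                           "ALLOW" if d.allowed else "DENY", d.rule))
```

Because the page and form rules live in the store rather than in each application, adding a field-level restriction or a new role is a policy change, not a code change, and the audit list is the single place to look for both authorized and refused access.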
Who Are You, Really?
Strong access control requires strong authentication, but the prevailing authentication method for standalone and networked applications is still the user name and password pair. Of course, stealing and guessing passwords is a problem, so secure tokens and digital certificates have been hailed as alternative authentication methods. However, these credentials are themselves unlocked by a user name and password or a PIN, so a memorized secret still sits at the root of the chain.
There are two drivers for biometric technology. The main one is that biometric methods provide stronger authentication because, the theory goes, forging a fingerprint or retinal scan is much more difficult than shoulder-surfing a password. Although this is probably true, imposters have for the most part used simple ruses to trick a biometric system into a false authentication. The second driver is that with a biometric-authentication method, you don't have to remember multiple passwords.
For biometrics to take off, application support is a must. Integration is growing, but for the most part it is still done case by case. Microsoft Windows 2000 and XP, for example, offer an easier integration path by using cryptographic service providers as the integration point.
Of course, biometrics are expensive if deployed widely, because each workstation requires a reader, and even at bulk prices that quickly adds up. Add in the cost to deploy and support drivers and applications, enroll users and manage the stored data, and what seems like a simple solution can spin out of control. We recommend that biometrics be employed for users in high-value situations, where you need authentication measures stronger than user name-password pairs.